#!/usr/bin/env dash
#
# This file is part of OpenMediaVault.
#
# @license   https://www.gnu.org/licenses/gpl.html GPL Version 3
# @author    Volker Theile <volker.theile@openmediavault.org>
# @copyright Copyright (c) 2009-2025 Volker Theile
#
# OpenMediaVault is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# any later version.
#
# OpenMediaVault is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with OpenMediaVault. If not, see <https://www.gnu.org/licenses/>.
MAILTO=""

export LC_ALL=C.UTF-8

. /etc/default/openmediavault
. /usr/share/openmediavault/scripts/helper-functions

OMV_SSL_CERTIFICATE_PREFIX=${OMV_SSL_CERTIFICATE_PREFIX:-"openmediavault-"}
OMV_SSL_CERTIFICATE_CHECK_EXPIRY_DAYS=${OMV_SSL_CERTIFICATE_CHECK_EXPIRY_DAYS:-"7"}
OMV_SSL_CERTIFICATE_CHECK_EXPIRY_ENABLED=${OMV_SSL_CERTIFICATE_CHECK_EXPIRY_ENABLED:-"yes"}

set -e

# Exit immediately if SSL cert checking is disabled.
! omv_checkyesno "${OMV_SSL_CERTIFICATE_CHECK_EXPIRY_ENABLED}" && exit 0

omv_syslog_info "Perform a check for expired SSL certificates."
for f in /etc/ssl/certs/"${OMV_SSL_CERTIFICATE_PREFIX}"*.crt ; do
  [ -f "${f}" ] || continue

  omv_syslog_info "Validating the SSL certificate ${f} ..."

  enddate=$(openssl x509 -enddate -noout -in "${f}" | sed "s/.*=\(.*\)/\1/" | awk -F " " '{print $1,$2,$3,$4}')
  enddate_seconds=$(date -d "${enddate}" +%s)
  now_seconds=$(date -d now +%s)
  datediff_days=$(( (enddate_seconds - now_seconds) / (60 * 60 * 24) ))

  if [ "${datediff_days}" -le "${OMV_SSL_CERTIFICATE_CHECK_EXPIRY_DAYS}" ] && [ "${datediff_days}" -gt 0 ]; then
    omv_syslog_warning "The SSL certificate ${f} expires in ${datediff_days} days."
    subject=$(openssl x509 -subject -noout -in "${f}" | sed "s/subject=\(.*\)/\1/")

    # Send a notification by email?
    if omv_is_notifications_enabled && omv_is_notification_enabled_by_id "misc"; then
      (
        echo "The SSL certificate ${f} expires in ${datediff_days} days.";
        echo ""
        echo "Subject: ${subject}"
        echo "Expiration date: ${enddate}"
      ) | mail -E -s "A SSL certificate expires in ${datediff_days} days" root
    fi
  else
    omv_syslog_info "The SSL certificate $(basename ${f}) is valid."
  fi
done
